Application Security Engineer, Information Security

Carvana

About Carvana

If you like disrupting the norm and are looking for a company revolutionizing an industry, then you will LOVE what Carvana has done for the car buying experience. Buying a car the old-fashioned way sucks and we are working hard to make it NOT suck. At Carvana, our customers can hop online to...

  • Search and browse our inventory of over 20,000 vehicles that we own and certify.
  • Narrow down search results using highly intelligent filtering tools/components.
  • View vehicle details, Carfax reports, and 360 rotating studio images for every vehicle.
  • Secure financing in minutes using Carvana’s in-house service or their own bank.
  • Interact with GUI components to easily customize loan length, down payment, and monthly payment.
  • Generate, upload, and eSign all documents online (no ink necessary).
  • Schedule front door delivery or pick up at one of our vending machines.
  • Trade-in their existing vehicle or just sell it to Carvana (no purchase necessary).

For more information on Carvana and our mission, sneak a peek at our company introduction video or learn more about what it’s like to work here from the people that already do. 

About the team and position

We are hiring an Application Security Engineer, Information Security to join our Information Security Team. In this role, you will be responsible for ensuring that our applications, services, and websites are designed and implemented with security by design. You will also be responsible for discovering and addressing security risks, issues, and threats, building security automation to enable a secure development lifecycle, and evangelizing security with our engineering teams.

What you’ll be doing

  • Engineer, design, implement and configure security into the Secure Software Development Lifecycle (SSDLC) to ensure security by design. 
  • Execute security reviews, including, but not limited to, requirements review, threat modeling, static code analysis, dynamic code analysis, etc.
  • Introduce and implement security controls into the CI/CD pipeline and partner with engineering teams to increase adoption of automated security controls in the CI/CD pipeline.
  • Work independently and collaboratively to discover and remediate security risks and vulnerabilities.
  • Partner with engineering teams to ensure corporate-wide security policies, guidelines and best practices are implemented.
  • Consult and advise development teams by serving as a Subject Matter Expert in the area of application security. 
  • Communicate complex technical security problems to technical and non-technical stakeholders. 
  • Identify trends in security issues discovered through SSDLC. Train the engineering and development teams on common security findings and appropriate ways to mitigate the risk.
  • Evangelize security with our cross-functional stakeholders and engineering teams. 
  • Manage our private bug bounty and responsible disclosure programs through the vulnerability management lifecycle. 
  • Execute various penetration test initiatives aimed at proactively identifying security weaknesses in our information assets (e.g. network, infrastructure, web applications, APIs, mobile applications, etc).

What you should have

  • 3+ years of experience as an Engineer or Developer. 
  • 3+ years of experience in Cyber Security.
  • Deep technical expertise and proficiency in OAuth 2.0 and hands-on experience in implementing an authentication service in a corporate network with many microservices. 
  • Deep technical expertise in various security domains such as web security (e.g. OWASP Top 10, CWE Top 25, etc.), secure coding practices, identity management, software development, cryptography, system administration, network security, etc. 
  • Strong technical proficiency with multiple programming languages (e.g. C#, Python, JavaScript, PowerShell, etc.).
  • Strong technical knowledge and experience with common security libraries, controls, common security flaws, and secure coding practices.
  • Hands-on experience embedding security tooling into the Secure Software Development Lifecycle (SSDLC).
  • Exceptional analytical and problem solving skills. 
  • Strong technical acumen, communication and influence skills.
  • Self-starter who works with minimal guidance and supervision.
  • Proven experience in recognizing complex problems and developing risk-based solutions to balance security and engineering requirements. 
  • Deep technical proficiency with various build technologies, code repositories, and CI/CD pipeline processes. 
  • Hands-on experience in cloud security environments (e.g. AWS, Azure, GCP, etc.) and containers (e.g. Docker, Kubernetes, etc.).
  • Proven ability to influence and drive change with stakeholders with varying opinions on security topics.

It would be great if you also had

  • Experience in working in a highly matrixed organization.
  • Information Security Certification.

What we’ll offer in return

  • Full-Time Salary Position with a competitive salary.
  • Medical, Dental, and Vision benefits.
  • 401K with company match.
  • A multitude of perks including student loan payments, discounts on vehicles, benefits for your pets, and much more.
  • A great wellness program to keep you healthy and happy both physically and mentally.
  • Access to training and conference opportunities as well as great on-the-job training.
  • A company culture of promotions from within, with a start-up atmosphere allowing for varied and rapid career development.

Other requirements

To be able to do your job at Carvana, there are some basic requirements we want to share with you.

  • Must be able to read, write, speak, and understand English.
  • Requires excellent visual acuity and manual dexterity.

Of course, we’ll make any reasonable accommodations for those with disabilities to perform the essential functions of their jobs. 

Legal stuff

Hiring is contingent on passing a complete background check. This role is not eligible for visa sponsorship.

Carvana is an equal employment opportunity employer. All applicants receive consideration for employment without regard to race, color, religion, gender, sexual orientation, gender identity or expression, marital status, national origin, age, mental or physical disability, protected veteran status, or genetic information, or any other basis protected by applicable law. Carvana also prohibits harassment of applicants or employees based on any of these protected categories.

Please note this job description is not designed to contain a comprehensive listing of activities, duties, or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.

Confirmed 21 hours ago. Posted 30+ days ago.
